Linux by Trial and Error

A repository of the things I learn about Linux

Create Self-Signed Certificate Authority in CentOS 6.3

First, a little housekeeping…

The pertinent details of my setup are that I’m running CentOS 6.3 and using the Virtual Machine Manager from the standard CentOS repositories. I created a VM with 15GB of disk and 1GB of memory to build my server. Not the most powerful system in the world, but sufficient to experiment with.

The OS for my VM was installed using the CentOS 6.3 minimal installation .iso so that it didn’t have any bells or whistles installed…just the basic OS. I pretty much did a default installation as I was not concerned with how my hard disk was partitioned as this was going to just be a scratch system.

The following steps were performed verbatim. In other words, since I just created this VM for the sole purpose of documenting these steps, I’m not masking anything. All input is exactly how I’m inputting it at the various prompts. The domain that I used really is example.com and the passwords that I’m putting are the ones that I actually used. By the time you read this, my VM will be destroyed or rebuilt anyway, so it’s not exactly risky to include all the details I used, but I felt it would help to reduce confusion.

After the OS install, I set up the networking and then did a ‘yum update’ to get all my packages up to date. I’m not going to go into detail on all that here as that information is readily available all over the Internet. If you can’t get that far, you’re probably not ready to do this yet, anyway. The openssl package was already installed with the minimal installation.

Now…onto my Certficate Authority setup…

  1. Change directory to the default CA directory:
    # cd /etc/pki/CA
  2. Create an index file for new certs:
    # touch index.txt
  3. Set first certificate number:
    # echo ’01’ > serial
    # echo ’01’ > crlnumber
  4. Create your CA cert and private key for your CA server:
    # openssl req -new -x509 -extensions v3_ca -keyout private/ca-cert.key -out certs/ca-cert.crt -days 365
    Enter PEM pass phrase: PassPhrase
    Confirm PEM pass phrase: PassPhrase
    Country Name: US
    State: Kansas
    City: Topeka
    Organization: Example
    Organizational Unit: Example
    Common Name: CA
    E-mail Address: root@example.com
  5. Set permissions on your private key:
    # chmod 400 private/ca-cert.key

Now, you’re ready to sign certificate requests. When you get a new certificate request, the following is what I did to generate a new cert signed by my very own CA:

  1. From your CA server, change directory to /etc/pki/CA
    # cd /etc/pki/CA
  2. Copy your certificate request to the /etc/pki/CA/crl directory
    # cp /root/ds1.csr /etc/pki/CA/crl
  3. Sign your cert using your CA
    # openssl ca -in crl/ds1.csr -out newcerts/ds1.pem -keyfile private/ca-cert.key -cert certs/ca-cert.crt
    Sign cert? y
    Commit? y

If you get an error about your stateOrProvinceName needing to be the same and it shows that they do, in fact, appear to be the same, what fixed that for me was editing the /etc/pki/tls/openssl.cnf file and setting the value ‘string_mask’ to ‘pkix’ and regenerating my CA cert (Step 4 above).

Hopefully, this will give you all the information you need to set up your CA so that you can sign your own certificates. Keep in mind that this does not mean that other systems/companies/whoever will actually trust your CA, or the certificates that you sign from it. But, for private, internal use you get to control which CA’s you trust and you can add your own to your list of Trusted CA’s.

If you have any questions or if anything is incorrect or unclear, please let me know. My purpose here is to document the steps I took to do this, so they seem to have worked correctly when I did them as described, but that does not mean that there isn’t a better, more efficient way to do it. Feedback is always welcome

Advertisements

March 21, 2013 - Posted by | certs | , , ,

9 Comments »

  1. […] is essentially a continuation of my last post because I needed to set up a CA to sign certs in order to configure my Directory Server to use TLS. […]

    Pingback by LDAP Directory Server on CentOS 6.3 Using TLS « Linux by Trial and Error | June 22, 2013 | Reply

  2. ds1.csr is missing.there is no such file.so how can i find it

    Comment by kavinda perera | October 31, 2013 | Reply

  3. The file name for step 5 should be ca-cert.key, not ca-key.key .

    Comment by Glenn Picher | March 17, 2014 | Reply

    • @Glenn,

      Thanks for noticing that. I’ve made the correction.

      Comment by danjcarrington | March 17, 2014 | Reply

  4. Could you add a step that shows how to generate a certificate request in order to see “how” it gets signed?

    Thanks.

    Jay Johnson

    Comment by Jay Johnson | March 19, 2014 | Reply

    • Disregard… I “think” I just realized that I “was” generating certificates based on another article I was following along with that required me to get a certificate signed in order to use TLS with may voice server:

      https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

      I believe what I need to do now is copy the (in the article’s example) “malcom.csr” file into the “/etc/pki/CA/crl” directory and it will “sign” my certificate, thus creating the additional “.pem” and “ca-cert.key” files, correct?

      Jay

      Comment by Jay Johnson | March 19, 2014 | Reply

      • Making progress, but now I’m getting “The mandatory countryname field is missing.” I can see from the previous steps of #1 thru #5 in the first section that the countryname is there; why would it now be missing in steps #1 thru #3?

        Jay

        Comment by Jay Johnson | March 19, 2014

  5. @Jay

    It’s been a while since I’ve done this. If I can find some time I will build a VM to go through this again and see if I can find whatever might be missing. I just wrote down what I did the first time around, but I will have to look into why you’re getting th country code error. I would think it should be there from when you went through the first part.

    Thanks for the feedback.

    Comment by danjcarrington | March 20, 2014 | Reply

  6. @kavinda

    I will have to go through this myself again to see if I can find the answer to your question. This is a fairly old post so I don’t recall a lot if the particulars. I will go through this again when I can to answer your question and Jay’s question.

    Thanks for the comment!

    Comment by danjcarrington | March 20, 2014 | Reply


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: